The MMG HOTELS LTD. (1077 Budapest, Baross sqr. 15. 5th. Fl. 1.) data protection registration number: NAIH-90200/2015. , a MMG HOTELS LTD, provider, data controller) as data controller, is bound by the content of this legal declaration. It undertakes to guarantee that its data management related to its service corresponds to the expectations defined in this guide and current legislation.

The scope of this guide covers the management of personal data of the provider on the www.mellowmoodhotels.com website and by using the service in the hotels of MMG HOTELS LTD.

The hotels of the MMG HOTELS LTD and their online portals or websites including the www.mellowmoodhotels.com are enlisted below:

This data management guide about the personal data on the websites and by using the hotel services is always available on the above specified websites.

The MMG HOTELS LTD reserves the right to change this guide anytime. The modifications of the guide enter into force by their publication on the websites. If this guide does not answer one of questions, then please write us and you will get a precise answer. The MMG HOTELS LTD does not take the responsibility for defaults due the use of the system. The MMG HOTELS LTD manages all personal data confidentially and takes all technical and organizational measures to guarantee the security of the data.

2. DEFINITIONS

2.1. personal data: data related to the client – particularly the name, identification number, one or more special knowledge about physiological, mental, economical, cultural or social identity or a conclusion derived from the personal data. The person can be considered particularly identifiable if he/she can be directly identified based on factors related to name, ID number, one or more physical, physiological, mental, economical, cultural or social character. 2.2. approval: the client declares voluntary and clear after he/she is properly notified that he/she agrees on the general or special management of personal data; 2.3. objection: declaration of the client, in which he takes an objection about the management of his/her personal data or he/she asks the termination or cancellation of data management; 2.4. controller: natural or legal person or certain types of entity which lack legal personality, who defines the goal of the data management and takes the decisions about data management (including the applied method) and carries out or makes carry out by an authorized controller; 2.5. data management: operation or set of operations on the data independently of the applied method, like collection, registration, archiving, organization, storage, modification, utilization, transfer, publication, modulation or association, blocking or delete, and blocking of future utilization. The production of photo, voice or video material, or archiving of physical features (like finger or palm print, DNA sample, iris picture) is considered as data management.; 2.6. transmission of data: if the data is transferred to the third-party; 2.7. publication: if the data is published; 2.8. data erasure: such a modification of the data, that they cannot be restored anymore; 2.9. data blocking: transfer, understand, publication, modification, erasure, association, modulation or utilization for unlimited or limited period of time; 2.10. data erasure: the erasure of data or physical destruction of the data storage system; 2.11. data elaboration: completion of technical tasks related to the data management independently of the applied method or device of the data management or the place of the application; 2.12. data processor: natural or legal person, certain types of entity which lack legal personality, who performs the processing of personal data authorized by the controller; 2.13. third party: natural or legal person, certain types of entity which lack legal personality, who is different from the client, data controller or data processor; 2.14. third country: all countries outside the European Economical Area.

3. BASIC PRINCIPLES OF THE MMG HOTELS LTD ABOUT DATA MANAGEMENT

The personal data can be managed a) if the client approves, or b) a law or regulation of the local municipality with the power in therein specified scope orders. The approval of the legal representative of a legally incapacitated and restricted capacitated minor is not required, because the declaration aim at the registration in everyday life and does not require any special consideration or knowledge. The personal data can be managed only for specific reason, for legal obligation or performance of duty. The data management should always fill this requirement. Only such a data can be managed where the goal of the data management requires this activity and is suitable for reaching the aim with the required extent and period. Personal data can be managed with the agreement based on proper notification. The client should be notified - unambiguously, clear and detailed – about all facts related to the data management, particularly about the person authorized for data management and processing, the duration of the data management, and about the group of people with right to access the data. The notification should cover the laws and legal remedies of the client as well. The personal data of the management have to fill the following requirements: a) their collection and management is fair and legitimate; b) precise, complete, and up-to date if it is required; c) the way of their storage makes it possible to identify the client only during the period required for the storage. It can be applied without any restriction, and it is prohibited to apply general and personal ID numbers. The personal data can be transferred to a third party and different data managements can be associated, if the client approves or the law allows this action and the requirements of the data management are filled for all personal data. The personal data (including the special data as well) can be transferred from the country to the data controller or data processor in third country, if the client approves or the law allows this action and the proper protection of the personal data related to the management or processing of transferred data is ensured in the third country independently of the data storage device and the way of data transfer. The data transfer to the countries of the European Economic Area can be considered as data transfer within Hungary.

4. SCOPE OF PERSONAL DATA, AIM, ITEM AND DURATION OF DATA MANAGEMENT

In the frame of the service the management of all personal data related to the client is based on personal approval. The MMG HOTELS LTD does not take responsibility for the accuracy of the transferred data of the user or guests.

4.1. THE DATA OF THE WEBSITE VISITORS

The MMG HOTELS LTD stores the IP address, the time of the visit, and the title of website during visit of any website by the client for technical reason, for reason to make statistics about user’s habits, and for reason to define and follow all basic principles and regulations about management of personal data of all natural persons contacted to the hotel, guests to protect the private sphere of the natural person according to the corresponding regulatory requirements. The server stores the data for a week. The provider sets a small data package, so-called cookie on the user’s computer to customize the service. The primary goal of this function is to distinguish new and returning users and to give a support for the login. The user can delete the cookie on his computer or set his/her browser to block the cookies.

4.2. DATA COLLECTION OF EXTERNAL PROVIDERS ON THE WEBSITE

The html code of online portals contains references inherited from external server and pointing to external server independent of the MMG HOTELS LTD.

4.3. REGISTRATION DATABASE

One part of the service of the MMG HOTELS LTD requires a registration.

Registration means a reservation of a room on the online portal and the given personal data in case of reservation of the room.

Any activity on the portal is not possible without registration. By the successful registration on the online portal of the MMG HOTELS LTD the data provided by the user during the registration are stored in the registration database. The goal of the management of the data in the registration database provided by the user is to ensure services available on the website of the MMG HOTELS LTD for registered users. The user can get an information about the scope of services required a registration on the website of the MMG HOTELSLTD.

The client approves by the registration that the provider manages his/her personal data to fill the requirement defined above.

The provider manages the personal data provided during the registration according to the goal defined in this point for undefined period of time and terminates the data management if the client declares in written form the withdrawal of his/her approval about the management of data aiming the goal defined in this point. In this case all data of the client in the registration database are deleted.

By the registration the client agrees according to the 6 paragraph of the Act XLVIII of 2008 about the basic requirements and certain restrictions of commercial advertisement that the MMG HOTELS LTD is authorized to use the data received by the MMG HOTELS LTD also for marketing purposes during the period of the data management. On the basis of this approval the MMG HOTELS LTD is (not exclusively) authorized to send for the client his/her post, e-mail or other messages, packages, newsletters or electronic advertisements, other notifications including the concierge electronic mail, which is sent by the MMG HOTELS LTD once automatically for all hotel guests after the booking to the provided e-mail address before the arrival of the guest in the hotel.

A concierge electronic mail might contain the following information:

- Program recommendation for Budapest including prices.

- Hop-On Hop-Off bus, baths, Budapest Card etc.

- Airport shuttle and taxi

- Possibility to register a newsletter

The MMG HOTELS LTD is authorized to use the personal data of the client for marketing purposes until the client withdraw this approval and informs the MMG HOTELS LTD in written form about his/her decision. It is considered also a withdrawal of the approval of the utilization of personal data for marketing purposes, if the client withdraws his/her approval about the use of his/her personal data by the provider in the registration database.

The provider manages the first and family name, e-mail address, phone, address, password, time of registration and IP address of the client.

The database contains information, whether the client has requested a newsletter or not. The user can decide about the registration of the newsletter during the registration. The data management related to the newsletter is described in separate section.

The modification of the majority of the provided data can be performed on the website. The complete erasure of the data, which can be considered as the withdrawal of the approval of the management of personal data, can be requested electronically indicated on the website or other way in written form defined in this guide.

4.4. NEWSLETTER

The user has the possibility to register to the newsletter service on the website of the MMG HOTELS LTD by providing his/her name and e-mail address. The subscription for the newsletter service can be done also in special menu point or by receiving of other services as well.

The provider informs the users, who are registered to the newsletter service, about recent news, recommendations and novelties. The content of the newsletters might be different according to the specified data by the users.

By providing his/her name and e-mail address during the registration to the newsletter service the user accepts that the provider sends for the user a newsletter as an e-mail message, or other recommendations, information materials and manages the personal data of the user according to the specified goal. According to this guide the provider is authorized to manage the data until the client declares in written form about the withdrawal of his/her approval about the data management for the goal specified in this point.

The provider can send occasionally other messages related to the service.

It can be unsubscribe from this newsletter service by clicking the –Unsubscribe from the newsletter (Leiratkozás a hírlevélről) menu point available in all newsletter. The unsubscription is considered as a withdrawal of the approval of the management of e-mail address provided by the user.

4.5. ROOM RESERVATION REQUEST

The user has the possibility to request a room reservation in the hotel operated by the MMG HOTELS LTD with the form available on the website. The user enters in the form for room reservation besides the data of the reservation (particularly the time of arrival and leave, number of guests etc.) his/her name, phone, e-mail address and address.

The user can declare on the form of the reservation request to subscribe for the newsletter. The rules related to the newsletter service are defined in a separate point.

4.6. HOTEL SERVICES REQUEST

The guest fills in a hotel registration form by requesting hotel services.

The guest agrees by signing the hotel registration form that the provider manages the obligatory data specified below to fill the requirements of the corresponding regulations (special regulations related to public prosecutor’s office, and tax of tourism) and to prove the performance of the obligations until the competent authority could check the performance of duties specified by regulations.

The obligatory specified data are the name, address, citizenship, place and time of birth. The specification of the obligatory data by the guest is a prerequisite for the hotel service request.

By signing the hotel registration form the guest allows the provider also to manage and archive his/her personal data by filling in the form in order to prove the validity and the completion of the contract for possible claim within the limitation period.

There is a possibility for the guest to approve the utilization of his/her personal data for marketing purpose until the MMG HOTELS LTD is authorized to manage his/her personal data. On basis of this approval the MMG HOTELS LTD is (not exclusively) authorized to send for the client his/her mails, e-mail or other messages, packages or other notifications.

The MMG HOTELS LTD is authorized to manage the personal data of the client for marketing purpose until the client withdraws in written form his/her approval about the data utilization for marketing purpose.

4.7. CONTACT

By sending the form including the name, the e-mail address, and the message available on the website you can contact to the provider. The messages are utilized by the provider under normal condition by archiving after completion of the request.

4.8. OTHER DATA MANAGEMENT

You are informed about the data management not enlisted in this guide during the data collection. You are informed that the court, public prosecutor and investigating authority is authorized to ask the provider to show and give your personal data and documents over (71st paragraph of the criminal proceeding). The MMG HOTELS LTD gives to the authority –after the authority defined the aim and scope of the data precisely- only such a personal data over in the meaning of quantity and quality, which is inevitable to reach the goal of the request.

5. THE WAY OF STORAGE OF PERSONAL DATA, SECURITY OF DATA MANAGEMENT

The MMG HOTELS LTD chooses and operates the informatics devices such a way that the during the service the personal data: a) should be accessible for eligible person (availability); b) authenticity and validation should be ensured (authenticity of data management); c) steadiness should be justified (data integrity); d) protected against illegal access (confidentiality of the data).

The MMG HOTELS LTD ensures the protection of your data with such technical and organizational measures, which provides a proper protection against the risks associated with data management.

The MMG HOTELS LTD maintain during the data management: a) confidentiality: protects the information, only the eligible person can get an access; b) integrity: protects the accuracy and integrity of the information and the processing method; c) availability: ensures for the eligible person the access to the desired information and the availability of the required devices.

The informatics system and the network of the MMG HOTELS LTD is protected against computer fraud, espionage, sabotage, vandalism, fire and flood, viruses, intrusions and attacks leading to refuse a service.

The provider ensures the security with measures on server and application level. We inform the users that the electronic messages are vulnerable against such threats- independently of the protocol (e-mail, web, ftp, etc.)- that lead to the illegal activity, contract conflicts or disclosure, modification of information. The provider takes all possible measures and precautions against these threads. The systems are controlled to fix all security defaults, and to provide a proof for all security events. The control enables also to check the efficiency of the precautions.

6. APPEAL POSSIBILITIES

The client has the right to ask information about the management of his/her personal data, request their correction- in exception of statutory data management- or erasure through the services on the website or via electronic contact on the website or via formal request in written form sent to the provider’s headquarter.

According to the request of the client the MMG HOTELS LTD as a data manager gives information about the managed data, the goal, plea and period of data management, name and address (headquarter) of data processor, the activity related to the data management, the list of persons who received the data and the goal of the data transfer. The data processor gives information in written form as soon as possible, within 30 days after the request is received.

The information is free of charge if the client has not requested from the data controller in the same year for information about the same topic. In other cases the MMG HOTELS LTD requests a data management fee.

The MMG HOTELS LTD erases the personal data if the data management is illegal, the client requests the erasure his/her data, the goal of the data management is not actual anymore, the period of the statutory data management has expired, the authority, or the court or data protection supervisor has requested the erasure.

The MMG HOTELS LTD informs the client and all other person who received the data about the modification, correction or erasure of the data.

The notification can be omitted if the omission does not undermine the legitimate interest of the client respecting the goal of the data management. The client has the right to protest against the management of his/her personal data, if a) the management (transfer) of personal data is required exclusively for the purposes of legitimate interest of the data controller or processor, except if it is about a statutory data management; b) utilization and transfer of personal data is for direct marketing, opinion polls or scientific research; c) nevertheless the law allows the exercising of the right of protest.

The MMG HOTELS LTD investigates the protest – with the simultaneous suspension of the data management - as soon as possible, within 15 days after the request is receipt and informs the client about the result of the investigation. If the protest is justified the data controller suspends and blocks the data management including the collection and transfer of further data and informs the third parties who received the transferred data and the clients who are obliged to take measures to assert their rights, about the protest request and the measures taken thereafter (suspension of data management).

If the client does not agree with the decision of the data controller, has the right to apply for the court within 30 days after receipt of order.

The MMG HOTELS LTD has not right to erase the data of the client if it is about statutory data management. It is not allowed to transfer the data to the receiver, if the data controller approved the protest or the competent court accepted the justification of the protest.

In case of infringement of the client’s right by the data controller, the client has the right to apply for the court. The court orders the case with a priority.

The MMG HOTELS LTD refunds all damages, which caused by illegal management of client’s data or infringement of the requirements of technical data protection.

The data controller does not take the responsibility for the damage if it is caused by any unavoidable circumstances outside the scope of the data management.

The data controller does not take the responsibility for the damage if it is caused intentionally or with gross negligence.